
What Happens If I Have a Data Breach?

Quick Answer

If personal data is compromised and there's risk to individuals, you must report to the ICO within 72 hours. High-risk breaches also require notifying affected individuals. Don't panic, but don't delay.

The 72-Hour Clock

Under UK GDPR, if a breach is "likely to result in a risk to the rights and freedoms of individuals," you must report to the ICO within 72 hours of becoming aware of it.

Seventy-two hours isn't much time. The clock starts when you become aware of the breach, not when you've finished investigating it.

Do You Need to Report?

Yes, report to ICO if:

  • Personal data was accessed by unauthorised people
  • Personal data was lost or stolen
  • Personal data was accidentally sent to the wrong person
  • There's a realistic chance of harm to individuals (identity theft, financial loss, reputational damage)

No report needed if:

  • No personal data was involved
  • The breach is unlikely to result in risk to individuals
  • Data was encrypted and keys weren't compromised

When in doubt, report. You can report with incomplete information and update later. Not reporting something you should have is worse.

Step by Step

Immediately

  1. Contain the breach - Stop it getting worse
  2. Assess what happened - What data? How many people? How did it happen?
  3. Start documenting - You need records regardless of whether you report

Within 72 hours

  1. Decide if ICO reporting is required - Use the ICO's self-assessment tool if unsure
  2. Report to ICO if required - Online at ico.org.uk
  3. Assess if individuals need notification - High-risk breaches require telling affected people

After

  1. Complete investigation - Understand root cause
  2. Notify individuals if required - Without undue delay
  3. Review and improve - Stop it happening again
  4. Document everything - Even breaches you don't report to ICO must be logged internally
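The reporting decision and the 72-hour clock from the lists above, worked through as an added example that is not from the original page or its authors. The criteria and the window are the page's; the `BreachAssessment` fields, the function names and the INC-00x scenarios are this example's own constructions. It shows that the deadline is computed from the moment of awareness, that encrypted data with uncompromised keys drops out of reporting, that high risk adds a duty to notify individuals, and that every case gets an internal log entry whether or not the ICO is told.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# UK GDPR window from the page: 72 hours from becoming aware of the breach.
REPORTING_WINDOW = timedelta(hours=72)


@dataclass
class BreachAssessment:
    """Facts gathered in the 'Assess what happened' step (field names are this example's own)."""
    reference: str
    aware_at: datetime                  # moment the organisation became aware; must be timezone-aware
    personal_data_involved: bool
    encrypted: bool = False             # data was encrypted when it was lost or accessed
    keys_compromised: bool = False
    risk_to_individuals: bool = False   # realistic chance of harm (identity theft, financial loss, ...)
    high_risk: bool = False             # likely significant impact: individuals must be told too

    def __post_init__(self):
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware so the deadline is unambiguous")


def ico_report_required(a: BreachAssessment) -> bool:
    """Criteria as stated on the page: report when personal data is involved and there is a
    realistic risk to individuals, unless the data was encrypted and the keys were not exposed."""
    if not a.personal_data_involved:
        return False
    if a.encrypted and not a.keys_compromised:
        return False
    return a.risk_to_individuals or a.high_risk


def individuals_must_be_notified(a: BreachAssessment) -> bool:
    """High-risk breaches require telling the affected people directly."""
    return ico_report_required(a) and a.high_risk


def ico_deadline(a: BreachAssessment) -> datetime:
    """The clock runs from awareness, not from the end of the investigation."""
    return a.aware_at + REPORTING_WINDOW


def triage(a: BreachAssessment, now: datetime) -> dict:
    """Produce the internal log entry. Every breach gets one, reported to the ICO or not."""
    remaining = ico_deadline(a) - now
    return {
        "reference": a.reference,
        "aware_at": a.aware_at.isoformat(),
        "ico_report_required": ico_report_required(a),
        "ico_deadline": ico_deadline(a).isoformat(),
        "hours_remaining": round(remaining / timedelta(hours=1), 1),
        "deadline_passed": remaining < timedelta(0),
        "notify_individuals": individuals_must_be_notified(a),
    }


# Constructed scenarios (not real incidents); timestamps are arbitrary UTC values.
AWARE = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
NOW = AWARE + timedelta(hours=30)        # investigation still under way
LATE_NOW = AWARE + timedelta(hours=80)   # investigation finished, but the window has closed

SAMPLE_CASES = [
    # Encrypted laptop stolen, keys safe: log it, no ICO report.
    BreachAssessment("INC-001", AWARE, personal_data_involved=True, encrypted=True,
                     keys_compromised=False, risk_to_individuals=True),
    # Customer list emailed to the wrong recipient: report, individuals not necessarily told.
    BreachAssessment("INC-002", AWARE, personal_data_involved=True, risk_to_individuals=True),
    # Payment card data accessed by an unauthorised party: report and notify individuals.
    BreachAssessment("INC-003", AWARE, personal_data_involved=True, risk_to_individuals=True,
                     high_risk=True),
    # Internal outage with no personal data: log only.
    BreachAssessment("INC-004", AWARE, personal_data_involved=False),
]


def triage_samples(now: datetime = NOW) -> dict:
    """Run triage over the constructed scenarios, keyed by reference."""
    return {a.reference: triage(a, now) for a in SAMPLE_CASES}


if __name__ == "__main__":
    for ref, entry in triage_samples().items():
        print(ref, entry)
```

Running the block prints one log entry per scenario; the `deadline_passed` flag flips for every case once `now` moves past awareness plus 72 hours, regardless of whether the investigation is complete, which is the trap the "Waiting too long" mistake below describes.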

What to Tell the ICO

The initial report needs:

  • Nature of the breach (what happened)
  • Categories and approximate number of people affected
  • Categories and approximate number of records affected
  • Name and contact details of your DPO or contact point
  • Likely consequences
  • Measures taken or proposed

You can update this as you learn more.

When to Notify Individuals

If the breach is "likely to result in a HIGH risk" to individuals, you must also tell them directly. This means:

  • Likely significant impact on them
  • Financial loss, identity theft, discrimination, reputational damage

Notification should include what happened, what you're doing about it, and what they can do to protect themselves.

Common Mistakes

Waiting too long: The 72 hours runs from awareness, not from completing investigation.

Not documenting: Every breach must be logged internally, even if not reported to ICO.

Burying it: Staff need to know to report potential breaches internally. If they hide problems, you can't respond in time.

Over-reporting: Not every incident needs ICO reporting. Minor incidents with no real risk don't require it.

What We Help With

Incident response is part of what we do. When breaches happen to our managed clients, we help:

  • Contain and investigate the breach
  • Assess reporting requirements
  • Prepare ICO notifications
  • Handle technical remediation
  • Improve defences to prevent recurrence

Having an incident response process before you need it makes the 72-hour window much less stressful.

---

*Disclaimer: This is general guidance, not legal advice. Data breach reporting requirements depend on your specific circumstances. Consult with legal counsel for advice on your obligations. Regulatory requirements may change—verify current ICO guidance.*